

reproduce report of CWE-918 from #1677
paskal committed Oct 10, 2023
1 parent eba4473 commit e3d9f99
Showing 1 changed file with 35 additions and 0 deletions.
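--- a/backend/app/rest/api/rest_public_test.go
+++ b/backend/app/rest/api/rest_public_test.go
@@ -477,6 +477,41 @@ func TestRest_FindUserComments(t *testing.T) {
 }
 }
 
+func TestRest_FindUserComments_CWE_918(t *testing.T) {
+ts, _, teardown := startupT(t)
+defer teardown()
+
+arbitraryUrlComment := store.Comment{Text: "bad URL test",
+Locator: store.Locator{SiteID: "remark42", URL: "https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com"}}
+aHrefTitleComment := store.Comment{Text: "bad title test", PostTitle: "<a href=\"https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com\">test</a>",
+Locator: store.Locator{SiteID: "remark42", URL: "https://radio-t.com/blah1"}}
+urlTitleComment := store.Comment{Text: "bad title test", PostTitle: "https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com",
+Locator: store.Locator{SiteID: "remark42", URL: "https://radio-t.com/blah2"}}
+
+addComment(t, arbitraryUrlComment, ts)
+addComment(t, aHrefTitleComment, ts)
+addComment(t, urlTitleComment, ts)
+
+res, code := get(t, ts.URL+"/api/v1/comments?site=remark42&user=provider1_dev")
+assert.Equal(t, http.StatusOK, code)
+
+resp := struct {
+Comments []store.Comment
+Count int
+}{}
+
+err := json.Unmarshal([]byte(res), &resp)
+assert.NoError(t, err)
+require.Equal(t, 3, len(resp.Comments), "should have 2 comments")
+
+assert.Equal(t, "https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com", resp.Comments[0].PostTitle, "unsanitised post title")
+assert.Equal(t, "https://radio-t.com/blah2", resp.Comments[0].Locator.URL)
+assert.Equal(t, "&lt;a href=\"https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com\" rel=\"nofollow\"&gt;test&lt;/a&gt;", resp.Comments[1].PostTitle, "unsanitised post title")
+assert.Equal(t, "https://radio-t.com/blah1", resp.Comments[1].Locator.URL)
+assert.Equal(t, "", resp.Comments[2].PostTitle, "empty from the first post")
+assert.Equal(t, "https://j5pxshabxb5037lms6z182pkjbp4d01p.oastify.com", resp.Comments[2].Locator.URL, "arbitrary URL provided by the request")
+}
+
 func TestRest_UserInfo(t *testing.T) {
 ts, _, teardown := startupT(t)
 defer teardown()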
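Review bot: The failure message on the comment-count check contradicts the value it asserts — `require.Equal(t, 3, len(resp.Comments), "should have 2 comments")` expects three comments, so it should read `require.Len(t, resp.Comments, 3, "should have 3 comments")`. The test also pins the vulnerable behaviour as the expected result (the final assertion accepts a request-supplied `Locator.URL` being echoed back unchecked) without saying so; a header comment such as `// reproduces #1677 (CWE-918): the locator URL is accepted from the request as-is; invert the Locator.URL expectation once the fix lands` would keep a later reader from treating these expectations as the intended contract. The fixtures embed a real out-of-band callback domain (`…oastify.com`); if any code path under test ever follows the locator URL, the suite would make outbound requests, so a reserved name such as `example.com` or an `httptest.NewServer` address would be a safer fixture. Minor: `arbitraryUrlComment` should be `arbitraryURLComment` to match Go's initialism convention.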

